CHASING CHAOS RANSOMWARE — Unveiling 2017 Instagram Hack Incident!

Rakesh Krishnan
Coinmonks
Jan 9, 2023

NOTE: This is an in-depth research piece on Chaos Ransomware (no reversing of samples is included, as plenty of that already exists elsewhere). The story eventually develops into a major Instagram hack incident that targeted Belarus in 2017, and ends by exposing the suspected threat actor responsible for both Chaos Ransomware and the 2017 Belarus cyber incident.

A criminal who does not profit from an initial fraudulent activity usually returns with a refashioned scheme and a changed strategy, at least as long as they have not yet been caught.

INDEX

1. THE BEGINNING
2. TAILING DEVELOPER INSTRUCTION/RANSOM NOTE
3. BITCOIN WALLETS: Demands from multiple Variants
4. EMAIL ADDRESSES ANALYSIS
5. CHAOS-SUCCESSOR OF GIBON RANSOMWARE
6. IRANIAN CONNECTION
7. DECODING EMAIL ADDRESS
8. CONNECTING TO ROZBEH RANSOMWARE
9. MINDMAP-CONNECTING THE DOTS
10. ATTACKER EMAIL COMPROMISED
11. TRACING dingobongo1: EXPOSING 5-YEAR-OLD CYBER INCIDENT
12. UKRAINIAN CONNECTION: UNCOVERING CHAOS THREAT ACTORS
13. YASHMA, ONYX - SPIN-OFFS OF CHAOS
14. CONCLUSION
15. KEY-TAKEAWAYS

Fox is the representation of Untrustworthiness, Greed & Dishonesty | Img Credit: missmeliss.com

Chaos Ransomware tells a similar story of repeated comebacks over the years, with a low success rate but a high infection rate.

Here, you can see the number of CHAOS detections:-

CHAOS Ransomware Detection

From the above list it is evident that this ransomware is still rife and keeps making comebacks against previously unaffected victims.

NOTE: The list shown above is from mid-December, but Chaos remains in demand, as new samples are being submitted on a regular basis.

THE BEGINNING

Chaos Ransomware was spotted in various Dark Web forums and marketplaces in June 2021.

Later it was offered as the Ryuk.net Ransomware Builder. In the meantime, Chaos went through various iterations, with versions such as v1, v2 and v3 in circulation.

After analysing samples of both, researchers had already established a connection between Chaos and Ryuk.net. It is also evident from the builder GUI used by the threat actor.

Ryuk Ransomware (which appeared in 2018) has no connection with the Ryuk.Net Ransomware Builder; it is a completely different project.

NOTE: This ransomware became a RaaS platform only after its initial failures, which we will discuss later in this article. Operating as RaaS also helps the creators of Chaos redirect investigative attention towards their affiliates, avoiding direct attribution.

TAILING DEVELOPER INSTRUCTION/RANSOM NOTE

The content of the ransom note or developer instructions is what allows conclusions to be drawn, because this is where indicators such as Bitcoin addresses and email addresses can be extracted.

BITCOIN WALLETS: Demands from multiple Variants

Digging deeper, it is found that Chaos Ransomware demands payment to two wallet addresses. They are:-

bc1qw0ll8p9m8uezhqhyd7z459ajrk722yn8c5j4fg (Ryuk.net)
bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0 (Yashma — Upgraded variant of Chaos)

Of these two Bitcoin addresses, bc1qw0ll8p9m8uezhqhyd7z459ajrk722yn8c5j4fg was the one initially used by many ransomware variants in 2021.

Here is the list of ransomware variants that demand payment to Wallet-1:-

BIGGY LOCKER
APIS
GRU
UNLUCKYWARE
WARLOCKS
PAY US
DESIFRUJMUJPOCITAC2021
DECRYPT DELTA
RETRIEVE DATA 300

All of the above demand payment to the same Bitcoin address and appeared in 2021.

Tracing bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0, it is found that this wallet address is used by the latest variants of Chaos.

Here is the list of ransomware variants that demand payment to Wallet-2:-

YASHMA
NERO CORTEX
ROZBEH
CHAOS-AZAZEL
UNLOCK YOUR FILES

The above-listed ransomware variants appeared in 2022.

EMAIL ADDRESSES ANALYSIS

By tracking the email addresses present in the ransom note, we learn the channel the ransomware group uses to communicate with its victims. This plays another vital role in finding the root of a ransomware operation.

In the case of Chaos Ransomware, the group uses two sets of email addresses to communicate with victims. They are:-

bomboms123@mail.ru 
yourfood20@mail.ru

bkhtyaryrwzbh@gmail.com

Drilling down the rabbit hole, it is found that the first set (bomboms123@mail.ru and yourfood20@mail.ru) is used by Ryuk.net, Chaos and GIBON Ransomware.
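The wallet and email pivots used in the two sections above can be mechanised. The following is an added example (my own code, not the author's tooling and not part of the original article): it pulls bech32 wallet addresses and mailboxes out of ransom-note text, verifies the bech32 checksum of each wallet so that a mistyped address in a note is not used as a pivot, and then clusters notes that share any indicator, transitively. The note texts are constructed for the example and only reuse the two wallets and three mailboxes quoted on this page; the note names and wording are invented.

```python
import re
from collections import defaultdict

# --- Bech32 checksum verification (BIP173 / BIP350) ---------------------------
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST = 1            # segwit v0 addresses (bc1q...)
BECH32M_CONST = 0x2BC830A3  # segwit v1+ addresses (bc1p...)


def _bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32_encoding(addr):
    """Return 'bech32', 'bech32m', or None if the string is not a valid address.

    A ransom note can contain anything that looks like an address; a failed
    checksum means a typo in the note (or in the transcription) and the string
    should not be pivoted on.
    """
    if addr != addr.lower() and addr != addr.upper():
        return None                      # mixed case is forbidden by BIP173
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        return None
    hrp, data = addr[:pos], addr[pos + 1:]
    if any(c not in BECH32_CHARSET for c in data):
        return None
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    values += [BECH32_CHARSET.index(c) for c in data]
    return {BECH32_CONST: "bech32", BECH32M_CONST: "bech32m"}.get(_bech32_polymod(values))


# --- Indicator extraction and pivoting ----------------------------------------
BTC_RE = re.compile(r"\b((?:bc|tb)1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{6,87})\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_iocs(note):
    """Wallet addresses and (lower-cased) email addresses found in one note."""
    wallets = set(BTC_RE.findall(note))
    emails = {m.lower() for m in EMAIL_RE.findall(note)}
    return wallets | emails


def cluster_notes(notes):
    """Union-find over notes: two notes join a cluster when they share any IOC.

    Returns a sorted list of sorted note-name lists, so the result is stable.
    """
    parent = {name: name for name in notes}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_seen = {}
    for name, text in notes.items():
        for ioc in extract_iocs(text):
            if ioc in first_seen:
                parent[find(name)] = find(first_seen[ioc])
            else:
                first_seen[ioc] = name
    groups = defaultdict(set)
    for name in notes:
        groups[find(name)].add(name)
    return sorted(sorted(g) for g in groups.values())


# Constructed ransom-note snippets, modelled on the wallets and mailboxes quoted
# on this page; the wording and the note names are invented for the example.
NOTES = {
    "ryuknet": "Your files are encrypted. Pay 0.1 BTC to "
               "bc1qw0ll8p9m8uezhqhyd7z459ajrk722yn8c5j4fg and email bomboms123@mail.ru",
    "gibon": "Write to bomboms123@mail.ru or yourfood20@mail.ru for the decryption key.",
    "yashma": "Send payment to bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0 "
              "then contact bkhtyaryrwzbh@gmail.com",
    "rozbeh": "Wallet: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0 (no mailbox given)",
}

if __name__ == "__main__":
    for name, text in NOTES.items():
        for ioc in sorted(extract_iocs(text)):
            status = "email" if "@" in ioc else bech32_encoding(ioc)
            print(f"{name:8} {ioc:45} {status}")
    print("clusters:", cluster_notes(NOTES))
```

The clustering is deliberately transitive: the "gibon" note shares no wallet with "ryuknet", yet lands in the same cluster through the shared mailbox, which is exactly the pivot the article makes from Chaos back to GIBON. The checksum result is printed per wallet rather than used as a filter, so a note with a mistyped address is still visible to the analyst instead of silently dropped.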

CHAOS — SUCCESSOR OF GIBON RANSOMWARE

Notably, GIBON Ransomware appeared in 2017, four years before Chaos Ransomware.

It targets its victims via malspam campaigns that deliver macro-enabled documents.

GIBON Admin Panel | Source: BleepingComputer

From the TOR site, it is evident that GIBON used a v2 onion address, which was the norm in 2017 but is obsolete today, as the Tor Project has stopped supporting v2 onion services.
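When an onion address turns up in a ransom note or a panel screenshot, its format alone tells you whether the infrastructure can still be reached. The following is an added example (my own code, not from the article or the Tor Project): it classifies an address as legacy v2 (16 base32 characters, a truncated SHA-1 of the RSA key, no checksum, no longer served by the network) or v3 (56 characters embedding an ed25519 key, a 2-byte checksum and a version byte), and for v3 it recomputes the checksum defined in rend-spec-v3. The addresses in `demo()` are constructed from a fixed, non-secret test key; no real service is referenced.

```python
import base64
import hashlib

ONION_V3_VERSION = b"\x03"


def _v3_checksum(pubkey):
    # rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]


def encode_v3_onion(pubkey):
    """Build a v3 .onion address from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion services use a 32-byte ed25519 public key")
    raw = pubkey + _v3_checksum(pubkey) + ONION_V3_VERSION   # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def classify_onion(address):
    """Return ('v2', None), ('v3', checksum_ok) or ('invalid', None).

    v2 addresses carry no checksum, so the only check is shape; a v2 address in
    a note is a sign of dead infrastructure. v3 addresses are verified fully:
    length, version byte and checksum over the embedded public key.
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[:-len(".onion")]
    if not host.isalnum():
        return ("invalid", None)
    try:
        raw = base64.b32decode(host.upper())   # raises on bad chars or bad length
    except Exception:
        return ("invalid", None)
    if len(host) == 16 and len(raw) == 10:
        return ("v2", None)
    if len(host) == 56 and len(raw) == 35 and raw[34:35] == ONION_V3_VERSION:
        pubkey, checksum = raw[:32], raw[32:34]
        return ("v3", checksum == _v3_checksum(pubkey))
    return ("invalid", None)


def demo():
    """Constructed cases: a v3 address built from a fixed test key, the same
    address with a corrupted checksum, and a v2-shaped address."""
    key = bytes(range(32))                       # fixed, non-secret test key
    good = encode_v3_onion(key)
    cs = _v3_checksum(key)
    corrupted_raw = key + bytes([cs[0] ^ 0xFF, cs[1]]) + ONION_V3_VERSION
    corrupted = base64.b32encode(corrupted_raw).decode("ascii").lower() + ".onion"
    legacy = "abcdefghijklmnop.onion"            # constructed v2-format address
    return {
        "good": classify_onion(good),
        "corrupted": classify_onion(corrupted),
        "legacy": classify_onion(legacy),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10} {result}")
```

A v3 address that fails the checksum is either a transcription error in the note or a deliberately altered decoy; either way it should be recorded as such rather than fed into a crawler.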

IRANIAN CONNECTION

Inspecting the second email address, bkhtyaryrwzbh@gmail.com, we find that it is used to negotiate with victims of EvilNominatus Ransomware, which appeared in late 2021.

ClearSky researchers had already connected EvilNominatus to Iran, as the initial sample was uploaded from Iran.

DECODING EMAIL ADDRESS

When I inspected the email address (bkhtyaryrwzbh@gmail.com) further, I split it into two parts:-

bkhtyary and rwzbh

Looking further, the word "bkhtyary" corresponds to Bakhtiari, a nomadic tribe from Iran.

Wikipedia Page on Bakhtiari

As per the etymology, the term Bakhtiari is best translated as "companion of fortune" or "bearer of good luck".

The second half, "rwzbh", can be read as "Rozbeh", which translates to "fortunate" in Persian.

Both of these indicators point to an Iranian origin for the group.

CONNECTING TO ROZBEH RANSOMWARE

Notably, the same name (Rozbeh) was used by the threat actor when uploading malicious samples to the VirusTotal platform in 2021.

Developer’s Comment on EvilNominatus

Moreover, a ransomware named "ROZBEH" appeared in 2022, and many more Rozbeh spin-offs followed: EvilNominatusCrypt, RozbehCrypt, NominatusStrike, RozbehofSatan, Quax0r, etc.

It is interesting to note that the developer disguises this ransomware as a "Performance Booster" in the VT comment section to lure more users.

NOTE: EvilNominatus targets Windows environments and is written in C#/.NET. The initial sample (MD5: a07ad47b052c812a2c2da5b1787855f4) was uploaded to VT on 27 December 2021.

From the VT comments, it is found that the threat actor mainly focuses on the online gaming and cryptojacking arenas to find victims.

MINDMAP — CONNECTING THE DOTS

I have prepared a mind map to give a gist of the Chaos Ransomware timeline:-

CHAOS RANSOMWARE MINDMAP

NOTE: One variant is missing from the chart above: "UNLOCKYOURFILES", which appeared in 2021 demanding payment to bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0.

ATTACKER EMAIL COMPROMISED

In May 2018, the Russian hacking forum Lolzteam suffered a data breach exposing 400k members. Among the users, I spotted the Chaos Ransomware email address yourfood20@mail.ru.

Lolzteam Data Leak

The location field in the leak cannot be trusted, but the username used is "dingobongo1".

TRACING dingobongo1: EXPOSING 5-YEAR-OLD CYBER INCIDENT

A deep dive into the username shows that the threat actor maintains another email address, dingobongo1@yandex.ru, which dates back to 2016.

In August 2017, the attacker compromised the Instagram account of Komarovsky, a popular Belarusian market, via phishing carried out with that same email address.

Google Search Result: Komarovsky Market

As per the Belarusian media, the following was said about the threat actor once caught:-

The attacker’s actions can be classified not only as “unauthorized access to computer information” (Article 349 of the Criminal Code of the Republic of Belarus), but also as “computer sabotage” (Article 351), since the hacker not only gained unauthorized access, but also changed the password and blocked the account. According to the first article, the hacker faces up to 7 years of imprisonment, according to the second — up to 10 years.

Tracing this email address further, it is found that the threat actor had previously hacked various Instagram accounts, demanding 15K rubles as ransom, and had registered multiple phishing sites targeting the Instagram platform. Some of them are:-

Lnstagram.com
instaNrgam.com
intsagARm.com

The list above shows that the threat actor used typosquatting to lure genuine users. For instance, a lowercase "l" in place of the "i" in Instagram is easy to miss at first glance.

The impact of the phishing site Lnstagram.com was colossal: 4,800+ profiles were created on it in a short period by users who did not realise the platform was fake.

Fake Site: Lnstagram.com (Report from WBM)
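The domains above are cheap to spot automatically once you measure them against the brand correctly. The following is an added example (my own code, not part of the article): it scores a candidate domain against a protected brand using the optimal string alignment distance, so that a swapped pair of letters ("intsagarm") costs one edit rather than two, and it first collapses a small hand-picked set of look-alike characters so that the "l" for "i" substitution in lnstagram.com scores as an exact homoglyph match rather than a one-letter typo. Assumptions: the brand is instagram.com, the confusable table is a subset chosen for this example, and the registrable label is taken by a naive split on dots (a real deployment would use the Public Suffix List). The four domains from this page are included as inputs together with two controls.

```python
# Confusable sequences collapsed before measuring distance; two-character
# look-alikes come first so they are not broken up by the single-character rules.
# Hand-picked subset for this example, not a full confusables table.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("0", "o"))


def normalize(label):
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute and
    transpose adjacent characters all cost 1, so swapped letters ("intsagarm")
    count as one typo rather than two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_label(domain):
    # Assumption: single-label public suffix (.com, .ru); a real deployment
    # would consult the Public Suffix List to handle suffixes such as .co.uk.
    return domain.lower().strip(".").split(".")[-2]


def assess_domain(candidate, brand="instagram.com", max_distance=2):
    """Score one domain against a protected brand."""
    c, b = registrable_label(candidate), registrable_label(brand)
    raw = osa_distance(c, b)
    norm = osa_distance(normalize(c), normalize(b))
    techniques = []
    if c != b and norm < raw:
        techniques.append("homoglyph")          # look-alike characters did the work
    if 0 < norm <= max_distance:
        techniques.append(f"typo (edit distance {norm})")
    return {
        "domain": candidate,
        "distance": norm,
        "suspicious": c != b and norm <= max_distance,
        "techniques": techniques,
    }


# The domains quoted on this page plus two controls that should not trigger.
CANDIDATES = ["Lnstagram.com", "instaNrgam.com", "intsagARm.com", "Instalgarm.com",
              "instagram.com", "example.com"]

if __name__ == "__main__":
    for domain in CANDIDATES:
        r = assess_domain(domain)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{domain:16} d={r['distance']} {flag:10} {', '.join(r['techniques'])}")
```

Run against newly registered domain feeds or certificate transparency logs, this is enough to catch all four domains on this page; the threshold of two edits is a trade-off, since raising it quickly starts to flag unrelated short labels.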

UKRAINIAN CONNECTION: UNCOVERING CHAOS THREAT ACTORS

It is evident from the above incident that the threat actors behind the Instagram phishing service were actively involved in the development of Chaos Ransomware, since the same username (dingobongo1) was used on the Russian underground forum Lolzteam together with the same email address (yourfood20@mail.ru) that is used to communicate with Chaos victims.

Tracing the registrant details of the typosquatted Instagram domain (lnstagram.com), the following are found:-

lnstagram.com

Registrant Email: dingobongo1@yandex.ru
Registry Admin ID: UANS-00001271741
Admin Name: Anton Popov
Admin Organization: Private person
Admin Street: 34789, Kharkov, Sumskaya, 90, 90 https://goo.gl/2VwEk9
Admin City: Kharkov
Admin State/Province: Kharkovskaya
Admin Postal Code: 34789
Admin Country: UKRAINE
Admin Phone: +380.663276512

From the registrant details, the threat actor is listed as ANTON POPOV, residing in Kharkov, Ukraine.

Ukrainian residential records confirm that the address given is genuine, as they return an exact match for the telephone number.

Ukrainian Residential Record

A Truecaller lookup shows that the threat actor uses the Vodafone Ukraine service.

Truecaller LookUp

From the Truecaller records, the threat actor used the name "Lys" (Ukrainian for fox).

NOTE: There is a high chance that Anton Popov is a pseudo-identity maintained by the threat actor for malicious activities.

Moving on to a second typosquatted Instagram domain, Instalgarm.com, the following details are obtained about the threat actor:-

Instalgarm.com

Registrant Email: dingobongo3@yandex.ru
Registry Admin ID:
Admin Name: Andrew Sobolev
Admin Organization:
Admin Street: Deribasivska str
Admin City: Odessa
Admin State/Province: Odesskaya obl
Admin Postal Code: 34980
Admin Country: UA
Admin Phone: +380.380956789234

The registrant name is ANDREW SOBOLEV, which was tied to this domain at the time of registration in 2017.

As the threat actor is from a CIS country, I looked up the phone number on the popular social media platform VK and found it attached to this profile:-

VK Profile of Vanya Evdokimenko

From the social media platform, it is found that the threat actor used the pseudo-identity Andrew Sobolev and that his real name is VANYA EVDOKIMENKO (26). It is also evident from his posts that he moved from Odessa province to Kyiv, the capital of Ukraine.

Looking further, I found a post with clear pictures of the threat actor.

Personal details of the Threat Actor

From the above post, it is found that the suspected threat actor logged into the platform from an Android device in 2018.

From the above details, we can conclude that the threat actor(s) are from Ukraine.

Following are the Hosting Details of Instalgarm.com:-

Hosting Details of Phishing Site

NOTE: HostUS is a popular VPS provider, used here to conceal the real hosting identity.

Here we can see two connections to Chaos Ransomware: Iran and Ukraine.

CHAOS RANSOMWARE — GLOBAL CONNECTION CHART

From the above analysis, it can be assumed that:-

-> Ukraine Team holds the wallet: bc1qw0ll8p9m8uezhqhyd7z459ajrk722yn8c5j4fg

-> Iran Team holds the wallet: bc1qlnzcep4l4ac0ttdrq7awxev9ehu465f2vpt9x0

There is no sign of active collaboration between the two teams; more likely, the Iran team took a spin-off of the Chaos Ransomware builder and used it to infect users, supplying its own Bitcoin wallet address.

YASHMA, ONYX — SPIN-OFFS OF CHAOS

In April 2022, Onyx Ransomware surfaced on various forums. On analysis, it was found to be developed from the Chaos Ransomware codebase.

In May 2022, the developer of Chaos Ransomware began rebranding it as Yashma Ransomware on various Dark Web forums.

Yashma advertised on Dark Web Forum

Analysing Yashma, it is found that it has more code in common with Hidden Tear, an open-source ransomware project that was previously used mainly by Turk Hack Team. From the term "Yashma", we can infer that this spin-off originated from the Iran team, as the word means "beautiful" and is used as an Islamic girl's name.

NOTE: More details about Yashma which I uncovered can be found in this paste.

In July 2022, Emsisoft released a free decryptor for Yashma Ransomware.

CONCLUSION

As the Chaos/Yashma ransomware builders are available on various platforms, there is a high chance that many more ransomware spin-offs will emerge from the circulating builders. But not everything can be connected back to Iran or Ukraine; that depends on the various factors listed in this article.

NOTE: I have personally reported this incident to the Belarus and Ukraine CERT teams and am awaiting a response.

KEY-TAKEAWAYS

>Cybercriminals always come up with new strategies when their old techniques become obsolete.
>The same happened with the Chaos Ransomware operators who emerged in 2021.
>Chaos Ransomware began to be advertised on various hacking forums and marketplaces in 2021.
>It was promoted as a Ryuk.net variant, which has no connection with the infamous RYUK Ransomware.
>Chaos Ransomware demands ransom payments to two Bitcoin wallet addresses.
>Upon investigation, it is found that two teams spread Chaos Ransomware.
>The original developers of Chaos Ransomware are suspected to be from Ukraine; the second team is from Iran.
>Both teams made various spin-offs of Chaos Ransomware from 2021 onwards and began targeting various industries and countries.
>GIBON Ransomware, which appeared in 2017, is traced back to the developers of Chaos Ransomware.
>The original Chaos developer's email (present in the Lolzteam forum) was exposed in the May 2018 breach.
>The username used by the suspected Chaos developer on the Lolzteam forum was directly involved in the compromise of a Belarusian market's Instagram account in 2017.
>It can be assumed that the Chaos developers were earlier associated with Instagram account hacking via phishing and typosquatted Instagram domains in 2017.
>One of the threat actors has been identified as VANYA EVDOKIMENKO, a 26-year-old from Ukraine.
>Yashma and Onyx are spin-offs forked from the Chaos project.

Such crimes recur over time; here is another of my research articles on the Dark Web, where cybercriminals NEVER retire!

Follow me on Twitter for interesting DarkWeb/InfoSec Short findings! ;-)

NOTE:- This article is purely individual research and is not to be used or published anywhere without the author's consent.

Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.